CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2026-31628 – x86/CPU: Fix FPDSS on Zen1
https://notcve.org/view.php?id=CVE-2026-31628
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: x86/CPU: Fix FPDSS on Zen1 Zen1's hardware divider can leave, under certain circumstances, partial results from previous operations. Those results can be leaked by another, attacker thread. Fix that with a chicken bit. • https://git.kernel.org/stable/c/f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31627 – i2c: s3c24xx: check the size of the SMBUS message before using it
https://notcve.org/view.php?id=CVE-2026-31627
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: i2c: s3c24xx: check the size of the SMBUS message before using it The first byte of an i2c SMBUS message is the size, and it should be verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX before processing it. This is the same logic that was added in commit a6e04f05ce0b ("i2c: tegra: check msg length in SMBUS block read") to the i2c tegra driver. • https://git.kernel.org/stable/c/85747311ecb6167c989093c64a13807366fdd3a9 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31626 – staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
https://notcve.org/view.php?id=CVE-2026-31626
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using uninitialized data. Smatch warns that only 6 bytes are copied to this 8-byte (u64) variable, leaving the last two bytes uninitialized: drivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify() warn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes) Initializing the variable at the start of the function... • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b • CWE-908: Use of Uninitialized Resource •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31624 – HID: core: clamp report_size in s32ton() to avoid undefined shift
https://notcve.org/view.php?id=CVE-2026-31624
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hid_output_field() or hid_set_field(). Commit ec61b4191858... • https://git.kernel.org/stable/c/dde5845a529ff753364a6d1aea61180946270bfa •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31623 – net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
https://notcve.org/view.php?id=CVE-2026-31623
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() A malicious USB device claiming to be a CDC Phonet modem can overflow the skb_shared_info->frags[] array by sending an unbounded sequence of full-page bulk transfers. Drop the skb and increment the length error when the frag limit is reached. This matches the same fix that commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path") did for the t7xx dri... • https://git.kernel.org/stable/c/87cf65601e1709e57f7e28f0f7b3eb0a992c1782 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31622 – NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
https://notcve.org/view.php?id=CVE-2026-31622
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of cascade rounds is controlled entirely by the peer device. The peer sets the cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the cascade-incomplete bit in the SEL_RES (deciding whether another round follows). ISO 14443-3 limits NFC-A... • https://git.kernel.org/stable/c/2c66daecc4092e6049673c281b2e6f0d5e59a94c • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31619 – ALSA: fireworks: bound device-supplied status before string array lookup
https://notcve.org/view.php?id=CVE-2026-31619
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: fireworks: bound device-supplied status before string array lookup The status field in an EFW response is a 32-bit value supplied by the firewire device. efr_status_names[] has 17 entries so a status value outside that range goes off into the weeds when looking at the %s value. Even worse, the status could return EFR_STATUS_INCOMPLETE which is 0x80000000, and is obviously not in that array of potential strings. Fix this up by properly... • https://git.kernel.org/stable/c/bde8a8f23bbe6db51fa4e81644273af18fef3d7a •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31618 – fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
https://notcve.org/view.php?id=CVE-2026-31618
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the udlfb driver as it uses pixclock directly when dividing, which will crash. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-369: Divide By Zero •
CVSS: 5.5EPSS: 0%CPEs: 11EXPL: 0CVE-2026-31617 – usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
https://notcve.org/view.php?id=CVE-2026-31617
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() The block_len read from the host-supplied NTB header is checked against ntb_max but has no lower bound. When block_len is smaller than opts->ndp_size, the bounds check of: ndp_index > (block_len - opts->ndp_size) will underflow producing a huge unsigned value that ndp_index can never exceed, defeating the check entirely. The same underflow occurs in the datagram index checks... • https://git.kernel.org/stable/c/2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31616 – usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
https://notcve.org/view.php?id=CVE-2026-31616
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() A broken/bored/mean USB host can overflow the skb_shared_info->frags[] array on a Linux gadget exposing a Phonet function by sending an unbounded sequence of full-page OUT transfers. pn_rx_complete() finalizes the skb only when req->actual < req->length, where req->length is set to PAGE_SIZE by the gadget. If the host always sends exactly PAGE_SIZE bytes per transfer, fp->r... • https://git.kernel.org/stable/c/b91cd1440870f7a0649e570498b7b93caf9f781c • CWE-401: Missing Release of Memory after Effective Lifetime •